lithermes-ai 0.8.7 → 0.8.9

package/README.md

@@ -62,7 +62,9 @@ Restart any running Hermes CLI or Hermes gateway process. Then open Hermes and t
 - `/lit-plan`: create a durable implementation plan.
 - Natural routing: a standalone `lit` or `litwork` in normal prose activates Litwork;
   `lit plan`, `lit review`, `lit research`, and `lit goal` route to the matching
-  Lithermes mode contract. Tokens inside code spans, fenced code, substrings,
+  Lithermes mode contract; `lit workflow` / `lit kanban` route durable work to
+  Hermes Kanban setup/proposal guidance, and `lit team` maps team-like work to
+  Kanban profile lanes instead of claiming a literal native team mode. Tokens inside code spans, fenced code, substrings,
   compounds, paths, and real slash-command mentions are ignored.
 - `/litwork-loop` and `/litwork-plan`: longer aliases.
 - `/lit_loop` and `/lit_plan`: gateway-friendly aliases for Telegram dispatch.
@@ -70,6 +72,12 @@ Restart any running Hermes CLI or Hermes gateway process. Then open Hermes and t
 - Interactive install spinner keeps terminal installs lively while redirected or scripted installs stay plain; use `npx lithermes-ai install --yes --no-spinner` for quiet terminal installs.
 - `/start-work`: execution-only for an approved plan. Natural-language `lit start work`
   is `BLOCKED` because a hook cannot switch Hermes commands; invoke `/start-work <plan>` explicitly.
+- `/review-work` records a local redacted `delegate_batch_intent` summary for its
+  single five-lane `delegate_task` batch under `.hermes/lithermes/runs/<run>/delegate_batches/<batch>/`.
+- Public retrieval hardening in `lit research`: public endpoints first,
+  structured attempt trace, HTTP 200 validation beyond status, login/paywall/CAPTCHA
+  refusal, private/loopback route refusal in the research contract, actionable
+  diagnostics, and A/B source comparison before synthesis.
 - LitHermes workflow skill set: `ai-slop-remover`, `comment-checker`,
   `debugging`, `deep-interview`, `frontend-ui-ux`, `git-master`, `init-deep`,
   `lsp`, `programming`, `refactor`,
@@ -91,8 +99,17 @@ Restart any running Hermes CLI or Hermes gateway process. Then open Hermes and t
   evidence, timeouts, or cleanup gaps block approval.
 - `lit research`: litresearch mode. Separate verified facts, hypotheses, sources,
   and uncertainty; keep any journal under `.hermes/lithermes/litresearch/`.
+  Public retrieval hardening tries public endpoints first, records a structured
+  attempt trace, validates more than HTTP 200, refuses login/paywall/CAPTCHA routes,
+  performs no network traffic itself, instructs refusal of private/loopback routes,
+  reports actionable diagnostics, and uses A/B checks.
 - `lit goal`: litgoal mode. Bind one objective plus checkable criteria through
   `goal_set` / `goal_*` tools; state lives in `.hermes/lithermes/litgoal/`.
+- `lit workflow` / `lit kanban`: durable-workflow mode. Probe `hermes version`,
+  `hermes kanban --help`, and `hermes profile list`; if setup is missing, print
+  `hermes kanban init` and `hermes gateway start` next steps. Create/propose a
+  Kanban root card only when setup and approval are present.
+- `lit team`: no literal native team mode is claimed; use Hermes Kanban profile lanes.
 - `lit start work`: `BLOCKED` unless the user invokes the native `/start-work`
   command. `/start-work` is execution-only for approved plans.
 

package/README_Ko-KR.md

@@ -62,13 +62,17 @@ npm 패키지명은 `lithermes-ai`이며, `lithermes`는 설치 후 CLI/plugin
 - `/lit-loop`: 같은 실행 loop를 명시적으로 호출합니다.
 - `/lit-plan`: 구현 계획을 먼저 세웁니다.
 - natural routing: 일반 문장 속 standalone lit / litwork / lit plan / lit review /
-  lit research / lit goal을 Hermes-native mode로 라우팅합니다. code spans,
+  lit research / lit goal을 Hermes-native mode로 라우팅하고, lit workflow / lit kanban은
+  Hermes Kanban setup/proposal 안내로, lit team은 literal native team mode가 아니라
+  Kanban profile lane으로 매핑합니다. code spans,
   fenced code, substring, compound token, path 안의 lit, 실제 slash-command 언급은 무시합니다.
 - `/litwork-loop`, `/litwork-plan`: 긴 이름의 alias입니다.
 - `/lit_loop`, `/lit_plan`: Telegram dispatch에 맞춘 gateway alias입니다.
 - 네이티브 `/goal` 바인딩: Hermes에는 model-facing goal tool이 없으므로 `/lit`, `/lit-loop`, `/lit-plan`은 세션 goal manager를 통해 네이티브 standing `/goal`을 대신 설정합니다(턴을 넘어 유지되고 네이티브 evidence-judge가 완료를 판정). success criteria와 증거는 durable `goal_*` 도구로 추적합니다.
 - interactive install spinner가 terminal 설치는 더 생동감 있게 보여주고, redirect/script 설치는 기존처럼 plain output을 유지합니다. 조용한 terminal 설치가 필요하면 `npx lithermes-ai install --yes --no-spinner`를 사용합니다.
 - `/start-work`: 승인된 plan만 실행하는 execution-only 명령입니다. 자연어 `lit start work`는 hook이 Hermes command 전환을 할 수 없으므로 `BLOCKED`되고, 사용자가 `/start-work <plan>`을 직접 호출해야 합니다.
+- `/review-work`: 단일 5-lane `delegate_task` batch에 대해 redacted local `delegate_batch_intent` 요약을 `.hermes/lithermes/runs/<run>/delegate_batches/<batch>/`에 기록합니다.
+- `lit research`에는 Public retrieval hardening이 적용됩니다. public endpoints first, structured attempt trace, HTTP 200 이상의 검증, login/paywall/CAPTCHA 거부, research contract 안의 private/loopback route 거부, actionable diagnostics, A/B source 비교를 synthesis 전에 요구합니다.
 - LitHermes workflow skill set: `ai-slop-remover`, `comment-checker`,
   `debugging`, `deep-interview`, `frontend-ui-ux`, `git-master`, `init-deep`,
   `lsp`, `programming`, `refactor`,
@@ -83,8 +87,12 @@ npm 패키지명은 `lithermes-ai`이며, `lithermes`는 설치 후 CLI/plugin
 - `lit` / `litwork`: 실행 discipline입니다. 직접 `lit <task>`는 `.hermes/lithermes/runs/`에 run state를 씁니다.
 - `lit plan`: planning-only입니다. 구현하거나 start-work를 호출하지 않고 plan을 만들고 승인 대기합니다.
 - `lit review`: review-work mode입니다. behavior, tests, docs/package readiness, security/safety, cleanup evidence를 5-lane으로 검증합니다.
-- `lit research`: verified facts, hypotheses, sources, uncertainty를 분리하고 journal은 `.hermes/lithermes/litresearch/`에 둡니다.
+- `lit research`: verified facts, hypotheses, sources, uncertainty를 분리하고 journal은 `.hermes/lithermes/litresearch/`에 둡니다. Public retrieval hardening으로 public endpoints first, structured attempt trace, HTTP 200 이상 검증, login/paywall/CAPTCHA 거부, private/loopback route 거부 지시, actionable diagnostics, A/B source check를 수행합니다.
 - `lit goal`: one objective plus checkable criteria를 `.hermes/lithermes/litgoal/`에 `goal_*` 도구로 기록합니다.
+- `lit workflow` / `lit kanban`: durable-workflow mode입니다. `hermes version`,
+  `hermes kanban --help`, `hermes profile list`를 먼저 확인하고, setup이 없으면
+  `hermes kanban init`, `hermes gateway start` 안내만 출력합니다. setup과 승인이 있을 때만 Kanban root card를 만들거나 제안합니다.
+- `lit team`: literal native team mode를 주장하지 않고 Hermes Kanban profile lane을 사용합니다.
 - `lit start work`: `BLOCKED`; 승인된 plan에 대해 native `/start-work <approved-plan>`을 직접 호출해야 합니다.
 
 Natural routing은 `code spans`, fenced code, `/lit` 같은 실제 slash-command mention,

package/assets/lithermes-plugin/README.md

@@ -21,7 +21,10 @@ CLI/plugin name, not the npm package name.
   execution-only and never bootstraps a plan from a brief.
 - The `pre_llm_call` hook injects an Litwork directive when the user says
   a standalone `lit` or `litwork`. It also routes `lit plan`, `lit review`,
-  `lit research`, and `lit goal` to the matching `lithermes:*` skill contract.
+  `lit research`, `lit goal`, and durable `lit workflow` / `lit kanban` / `lit team`
+  intents to the matching Hermes-native contract. Kanban routes are setup/proposal
+  guidance for Hermes Kanban profile lanes; `lit team` does not claim a literal
+  native team mode.
   Hermes has no model-facing goal tools, so a direct `lit <task>` (and the /lit
   command) binds the native standing `/goal` via the session goal manager;
   criteria + evidence use the durable `goal_*` tools.
@@ -36,7 +39,12 @@ CLI/plugin name, not the npm package name.
   `lithermes:lit-plan`, `lithermes:litgoal`, and `lithermes:litwork`.
 - Delegation fans lanes out through the native `delegate_task` tool (children
   run in parallel, the parent blocks for all); there is no named-agent registry
-  and no per-child model selection.
+  and no per-child model selection. Broad review commands record a local redacted
+  `delegate_batch_intent` summary under `.hermes/lithermes/runs/<run>/delegate_batches/<batch>/`.
+- Public retrieval hardening in `lit research` keeps external research public-only:
+  public endpoints first, structured attempt trace, validation beyond HTTP 200,
+  login/paywall/CAPTCHA refusal, private/loopback route refusal in the research
+  contract, actionable diagnostics, and A/B source comparison before synthesis.
 
 ## Mode Contract
 
@@ -47,9 +55,18 @@ CLI/plugin name, not the npm package name.
 - `lit review`: review-work verifies behavior, tests, docs/package readiness,
   security/safety, and cleanup evidence through a 5-lane all-or-nothing gate.
 - `lit research`: separate verified facts, hypotheses, sources, and uncertainty;
-  journals live under `.hermes/lithermes/litresearch/<slug>/`.
+  journals live under `.hermes/lithermes/litresearch/<slug>/`. Public retrieval
+  hardening tries public endpoints first, records a structured attempt trace,
+  validates more than HTTP 200, refuses login/paywall/CAPTCHA routes, blocks
+  no network traffic itself, instructs refusal of private/loopback routes, reports
+  actionable diagnostics, and uses A/B checks.
 - `lit goal`: bind one objective plus checkable criteria in
   `.hermes/lithermes/litgoal/`.
+- `lit workflow` / `lit kanban`: durable-workflow setup/proposal mode through
+  Hermes Kanban. Probe `hermes version`, `hermes kanban --help`, and
+  `hermes profile list`; initialize/start gateway if missing; create/propose a
+  Kanban root card only after setup and approval.
+- `lit team`: no literal native team mode is claimed; use Hermes Kanban profile lanes.
 - `lit start work`: `BLOCKED` in natural routing because `pre_llm_call` cannot
   switch Hermes commands. The user must invoke `/start-work <approved-plan>`.
 

package/assets/lithermes-plugin/core.py

@@ -198,6 +198,66 @@ def record_event(event: str, **fields: Any) -> None:
         pass
 
 
+_REMOTE_REF_RE = re.compile(r"https?://[^\s,;\"'<>]+", re.IGNORECASE)
+
+
+def _redact_local_only_preview(value: Any) -> str:
+    """Small local-only diagnostic preview for event metadata.
+
+    Delegate batch events must never become remote telemetry. Keep the preview
+    bounded, secret-redacted, and URL-redacted so audit logs prove intent without
+    preserving endpoints or pasted secret-bearing child context.
+    """
+    text = json.dumps(redact_obj(value), sort_keys=True) if not isinstance(value, str) else redact_text(value)
+    text = _REMOTE_REF_RE.sub("[REDACTED_URL]", text)
+    return text[:1000]
+
+
+def record_delegate_batch_intent(
+    *,
+    workspace: Path,
+    mode: str,
+    lanes: Iterable[str],
+    session_id: str = "",
+    context: Any = None,
+) -> dict[str, Any]:
+    """Record a local, redacted intent event for a Hermes delegate_task batch.
+
+    This is evidence only: it does not orchestrate workers, create persistent
+    teams, or send telemetry anywhere. Hermes still performs the actual short
+    parallel work through one synchronous delegate_task batch.
+    """
+    rid = run_id("lithermes")
+    batch_id = run_id("delegate-batch")
+    lane_list = [str(lane) for lane in lanes]
+    artifact_dir = lithermes_dir(workspace) / "runs" / rid / "delegate_batches" / batch_id
+    payload = {
+        "event": "delegate_batch_intent",
+        "timestamp": utc_now().isoformat(),
+        "session_id": session_id,
+        "run_id": rid,
+        "batch_id": batch_id,
+        "mode": mode,
+        "lanes": lane_list,
+        "artifact_dir": str(artifact_dir) + "/",
+    }
+    if context is not None:
+        payload["context_preview"] = _redact_local_only_preview(context)
+    try:
+        artifact_dir.mkdir(parents=True, exist_ok=True)
+        (artifact_dir / "summary.json").write_text(
+            json.dumps(redact_obj(payload), indent=2, sort_keys=True) + "\n",
+            encoding="utf-8",
+        )
+    except OSError:
+        pass
+    try:
+        append_jsonl(event_log_path(), payload)
+    except OSError:
+        pass
+    return redact_obj(payload)
+
+
 _RUN_CONTEXT_TASK_PATTERN = re.compile(r"^task:\s*(?P<task>.+?)\s*$", re.MULTILINE)
 
 
@@ -282,6 +342,17 @@ def detect_lit_mode(message: str) -> NaturalLitRoute | None:
         if token == "litwork":
             return NaturalLitRoute(mode="litwork", objective=_clamp_task(after), visible_message=visible)
 
+        for word in ("workflow", "kanban"):
+            rest = _after_mode_word(after, word)
+            if rest is not None:
+                return NaturalLitRoute(mode="durable-workflow", objective=_clamp_task(rest), visible_message=visible)
+
+        team_rest = _after_mode_word(after, "team")
+        if team_rest is not None:
+            mode_rest = _after_mode_word(team_rest, "mode")
+            objective = mode_rest if mode_rest is not None else team_rest
+            return NaturalLitRoute(mode="kanban-team", objective=_clamp_task(objective), visible_message=visible)
+
         start_rest = _after_start_work(after)
         if start_rest is not None:
             block = (
@@ -312,6 +383,33 @@ def detect_lit_mode(message: str) -> NaturalLitRoute | None:
 
 def build_natural_mode_context(route: NaturalLitRoute) -> str:
     objective = route.objective or "(no objective text supplied — ask for the missing objective if needed)"
+    if route.mode in {"durable-workflow", "kanban-team"}:
+        team_note = (
+            "Hermes has no literal native team mode; team-like work maps to Hermes Kanban profile lanes and worker lanes."
+            if route.mode == "kanban-team"
+            else "Hermes durable-workflow route: use Hermes Kanban for broad/background work."
+        )
+        return "\n".join(
+            [
+                f"<lithermes-natural-route mode=\"{route.mode}\">",
+                "Natural routing: durable-workflow intent -> Hermes Kanban.",
+                team_note,
+                f"Objective: {objective}",
+                "Mode Contract: setup/propose only unless Kanban is already available, initialized, and the user approved creation.",
+                "Capability probe before creating anything:",
+                "- hermes version",
+                "- hermes kanban --help",
+                "- hermes profile list",
+                "If setup is missing, do not fake a workflow start; print these next commands:",
+                "- hermes kanban init",
+                "- hermes gateway start",
+                "- hermes profile list",
+                "If setup and approval are present, create/propose a Kanban root card via kanban_create or `hermes kanban create`.",
+                "Root card fields: title/objective, acceptance criteria, assignee/profile, workspace, skills, dependencies, and goal_mode when open-ended.",
+                "External CLI worker lanes are not paved without a separate spawn_fn integration; do not promise them.",
+                "</lithermes-natural-route>",
+            ]
+        )
     if route.blocked:
         return "\n".join(
             [
@@ -352,6 +450,8 @@ def build_natural_mode_context(route: NaturalLitRoute) -> str:
                 "Natural routing: standalone lit research -> lithermes:litresearch.",
                 f"Research demand: {objective}",
                 "Mode Contract: separate verified facts, hypotheses, sources, and uncertainty. Do not present uncited claims as facts.",
+                "public-only retrieval hardening: try public endpoints first, keep a structured attempt trace, and never treat HTTP 200 alone as success.",
+                "Safety boundary: stop and report when a source requires login, paywall, CAPTCHA, credentials, or private/loopback network access.",
                 "Use Hermes-native delegate_task swarms when justified and keep any research journal under .hermes/lithermes/litresearch/<slug>/.",
                 "</lithermes-natural-route>",
             ]
@@ -986,6 +1086,16 @@ def command_review_work(raw_args: str) -> dict[str, str]:
         diff = diff[:60000] + "\n... [diff truncated at 60k chars — lanes should read full files as needed]"
     run_cmd = detect_run_command(workspace)
     files_block = changed or "(no changed files detected vs " + base + ")"
+    batch_event = record_delegate_batch_intent(
+        workspace=workspace,
+        mode="review-work",
+        lanes=[key for key, _ in REVIEW_LANES],
+        context={
+            "base": base,
+            "changed_file_count": len([f for f in changed.splitlines() if f.strip()]),
+            "run_command": run_cmd,
+        },
+    )
 
     lane_lines = []
     for key, brief in REVIEW_LANES:
@@ -998,6 +1108,7 @@ def command_review_work(raw_args: str) -> dict[str, str]:
         f"workspace: {workspace}",
         f"base: {base}",
         f"run command (for QA lane): {run_cmd}",
+        f"delegate batch evidence: {batch_event.get('artifact_dir', '')}",
         "",
         "Changed files:",
         files_block,

package/assets/lithermes-plugin/payload-version.json

@@ -1,7 +1,7 @@
 {
-  "syncedAt": "2026-06-19T02:30:00.000Z",
+  "syncedAt": "2026-06-23T00:00:00.000Z",
   "source": "source-reference",
-  "sourceHash": "0a2b29742e4410128d26429945f694c77d47dc5a0d3f80a6bda8b1cbbb21200f",
+  "sourceHash": "e7ade29b97ae79910c1ba3119192a95c347860b9729b069498a790a3ec383367",
   "files": [
     {
       "path": "NOTICE.md",
@@ -9,7 +9,7 @@
     },
     {
       "path": "README.md",
-      "sha256": "29a32fca9db9fd12a2a9e307e93f44ba2a8274fde19946011944958c1a1ebc6d"
+      "sha256": "1908cf5b7e356c214940435f5f52282417ed6c07e53b5a29489c734371dfeebe"
     },
     {
       "path": "__init__.py",
@@ -17,7 +17,7 @@
     },
     {
       "path": "core.py",
-      "sha256": "d0689b196a2721c99c3c83a5e82482869da0d80e57a52c07f54d9268989c31b0"
+      "sha256": "a08610a52b32922c78a22613cd98d3e9e18b5899c45375f7981517e6b79da7d9"
     },
     {
       "path": "litgoal/__init__.py",
@@ -49,7 +49,7 @@
     },
     {
       "path": "plugin.yaml",
-      "sha256": "9d49a09370193484755d21941af9f6d977dfef780c7a8d6657c115ff643b0bbd"
+      "sha256": "65ea33f8f8ed91328cdaea3ea742325b409bc180df1f6b3cd71270aceecbae92"
     },
     {
       "path": "redaction.py",
@@ -65,7 +65,7 @@
     },
     {
       "path": "skills/debugging/SKILL.md",
-      "sha256": "48bdb0df0f41633aca17d6193aa98aabac4c49cc25c36e50f26b020f89f77d43"
+      "sha256": "5b1b4f536579d0fb459eb9e5a79ee7d70bad26149799c0417b3c258b3f00bba5"
     },
     {
       "path": "skills/debugging/references/methodology/00-setup.md",
@@ -169,7 +169,7 @@
     },
     {
       "path": "skills/litresearch/SKILL.md",
-      "sha256": "363468a509f7743037b2f132171b7b1351d11c10680985a49cab1693855a0a20"
+      "sha256": "f8352bbbeb6a52409de349de9d2cc423606ade759431a558fdf040ebc786db4f"
     },
     {
       "path": "skills/litwork/SKILL.md",
@@ -281,7 +281,7 @@
     },
     {
       "path": "skills/programming/SKILL.md",
-      "sha256": "ffb201197e7386c848f8efb9b90d0a024d7b8000e8bea1b13b0ed7a83627a56b"
+      "sha256": "a373df296ce4ce7e0fed2118a11e6cc70eedcc6e81520035d097d079a6484f99"
     },
     {
       "path": "skills/programming/references/go/README.md",
@@ -569,7 +569,7 @@
     },
     {
       "path": "skills/refactor/SKILL.md",
-      "sha256": "d4e160e256b5a5e1fae4170edeee7a6bc8e2338bbebec797e24f07ea70687a10"
+      "sha256": "37913c1154e1110492f14cafe3836e344728b1fd85a7a324e837e52b9f03e3d6"
     },
     {
       "path": "skills/remove-ai-slops/SKILL.md",
@@ -577,7 +577,7 @@
     },
     {
       "path": "skills/review-work/SKILL.md",
-      "sha256": "4af425ec7924f1cd3d5fac633351f84d587cbaa68498d46daad9faf066c937ec"
+      "sha256": "a232c83f95b2109231c4b752267d5bc0a96a4c853c7e7b8b590c73445391d94a"
     },
     {
       "path": "skills/rules/SKILL.md",

package/assets/lithermes-plugin/plugin.yaml

@@ -1,5 +1,5 @@
 name: lithermes
-version: 0.8.7
+version: 0.8.9
 description: "Hermes-native workflow toolkit: litgoal durable runtime, 5-lane review orchestrator, Litwork commands, skills, and prompt steering."
 author: "Hermes Agent"
 kind: standalone

package/assets/lithermes-plugin/skills/debugging/SKILL.md

@@ -67,7 +67,7 @@ Each phase has exactly one reference. Read it as you enter the phase — not in
 | 0 | **Environment assessment** — know the runtime, ports, symbols, env vars, watchers before attaching | [references/methodology/00-setup.md](references/methodology/00-setup.md) |
 | 1 | **Journal setup** — single `.debug-journal.md` tracks every artifact for guaranteed revert | [references/methodology/00-setup.md](references/methodology/00-setup.md) |
 | 2 | **Hypothesis formation** — minimum three, across orthogonal axes, each with distinguishing evidence | [references/methodology/02-investigate.md](references/methodology/02-investigate.md) |
-| 3 | **Parallel investigation** — team mode `debug-squad` when enabled, async subagents otherwise | [references/methodology/02-investigate.md](references/methodology/02-investigate.md) |
+| 3 | **Parallel investigation** — one Hermes-native `delegate_task` batch for short investigations; use Kanban profile lanes for durable/background debugging programs | [references/methodology/02-investigate.md](references/methodology/02-investigate.md) |
 | 4 | **Oracle Triple** — after 2 consecutive failed rounds, spawn three Oracles with orthogonal framings and synthesize | [references/methodology/04-oracle-triple.md](references/methodology/04-oracle-triple.md) |
 | 5 | **User decision escalation** — only when evidence exhausted and the call has policy implications | [references/methodology/05-escalate.md](references/methodology/05-escalate.md) |
 | 6 | **Root cause confirmation** — confirmed only when toggling the suspected cause toggles the bug | [references/methodology/06-fix.md](references/methodology/06-fix.md) |

package/assets/lithermes-plugin/skills/litresearch/SKILL.md

@@ -28,6 +28,11 @@ If a single retrieval would answer it, do that directly and do not invoke litres
 
 Everything in this skill runs on one tool: the native `delegate_task`.
 
+Use this mode for short, in-turn research where the parent should wait for the
+parallel children and synthesize their returns. If the user asks for durable,
+background, dynamic-workflow-style collaboration, route to Hermes Kanban (`lit workflow`
+/ `lit kanban`) instead of stretching `delegate_task` into a queue.
+
 - **Parallel swarm fan-out** is a single `delegate_task` call carrying a `tasks` array — one entry per worker. The parent blocks until every child in the batch stops, then you merge their returns. This replaces any notion of a separate workflow tool, background spawning, or named-agent registry: there is no `subagent_type`, no per-child model selection, and no foreign agent name. You shape each child entirely through its `goal`, `context`, optional `toolsets`, and optional `role`.
 - **Worker roles** (codebase explorer, web/docs librarian, browsing, repo deep-dive, verifier) are not registered agents. Each is a read-only `delegate_task` child whose `goal`/`context` fully describe the role's mandate, scope, protocol, and required reply tail. Two children differ only by the text you give them.
 - **Recursion** comes from your expansion waves, not from a child spawning its own children. Children are leaves; depth is the parent's job.
@@ -124,6 +129,18 @@ Delegated children default to thin single-pass retrieval. Counter this in every
 
 Web and docs lanes are only as good as their query craft. Embed this playbook in each web child's `goal`/`context`, and apply it yourself whenever the main session drives the web-search tool directly.
 
+### Public retrieval hardening
+
+Use this public-only retrieval protocol whenever a web/docs lane fetches a page or an external repository:
+
+1. **Public endpoints first.** Prefer official docs, canonical feeds, package registries, code-host permalinks, public metadata endpoints, and sitemap-linked pages before generic page scraping or rendered browsing.
+2. **Structured attempt trace.** For each source, record `route`, `url`, `status`, `content_kind`, `validation`, `verdict`, and `next_action` in the journal. A route is not successful until validation says the content answers the sub-question.
+3. **HTTP 200 is not proof.** Treat HTTP 200 as only a transport signal; validate body size, expected content type, JSON parseability when relevant, missing/empty bodies, challenge pages, redirect surprises, and the presence of the expected topic or selector.
+4. **Public boundary.** Stop instead of bypassing when a source requires login/paywall/CAPTCHA, credentials, paid access, private cookies, or user-specific state. Report the boundary and continue with other public sources.
+5. **Network safety.** Do not fetch private/loopback, link-local, multicast, reserved, or cloud-metadata addresses, including after redirects. Reject non-http(s) schemes unless the host tool explicitly supports them as local file reads in the current workspace.
+6. **Actionable diagnostics.** When a lane cannot retrieve enough evidence, say which public routes were tried, which validations failed, and what safe next route remains; do not collapse every failure into “blocked”.
+7. **A/B evidence.** For important claims, compare at least two independent public retrieval routes when possible, for example official docs vs release notes, registry metadata vs repository tags, or rendered page text vs source permalink. Record disagreements before synthesis.
+
 **English first.** Run every search in English by default — it is the largest, most authoritative corpus on every engine, code host, and documentation site. Add a secondary local-language sweep (one or two extra lanes) only after the English sweep, when the topic is inherently local, or when the user asks for sources in a specific language.
 
 **≥10-query floor.** Each web lane runs at least 10 distinct web-search queries, every one varying a different operator or angle — the same query twice wastes the lane. Fetch the full page for every result that matters; snippets mislead.

package/assets/lithermes-plugin/skills/refactor/SKILL.md

@@ -32,6 +32,11 @@ section wins — every foreign delegation call in the prose below is a LEGACY il
 copied from another harness; never call any of them literally, map each to a
 `delegate_task` child.
 
+For durable/background refactor programs that need profile assignees, dependencies,
+comments, and audit trails over time, use Hermes Kanban through the `lit workflow` /
+`lit kanban` route. Do not fake a persistent refactor team on top of short `delegate_task`
+batches.
+
 export const REFACTOR_TEMPLATE = `# Intelligent Refactor Command
 
 ## Usage

package/assets/lithermes-plugin/skills/review-work/SKILL.md

@@ -22,6 +22,11 @@ the five lane briefs plus the gate contract. Then:
 Lane → child mapping (dispatch all five in the single batch):
 `goal` · `qa` · `code-quality` · `security` (supplementary) · `context/docs/package`.
 
+The `/review-work` command records a local, redacted `delegate_batch_intent` event and
+summary directory before handing off to the model. Treat this as audit evidence only:
+it does not create a persistent team, does not make remote telemetry, and does not
+replace Hermes' fork/join `delegate_task` execution.
+
 Each child returns: `verdict` (PASS|FAIL), `confidence`, and findings with `file:line`.
 The review must cover behavior, tests, docs/package readiness, security/safety,
 and cleanup evidence; green tests without a real-surface probe are insufficient.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lithermes-ai",
-  "version": "0.8.7",
+  "version": "0.8.9",
   "description": "npx/bunx installer for the LitHermes Hermes plugin",
   "license": "MIT",
   "repository": {